Hundreds of Dark Web mirror sites ‘booby-trapping’ Tor users

Wed 1 Jul 2015

Tor users are being warned about hundreds of fake and booby-trapped .onion websites after the founder of Dark Web search engine ahmia.fi noticed a clone of his own site online.

Juha Nurmi, who operates an open source .onion search engine, found over two hundred fake replicas of Dark Web pages, including the popular Tor version of DuckDuckGo.

Nurmi first posted his discovery on Monday on Tor-Talk and listed all of the discovered ‘trapped’ sites on Pastebin.

“I noticed a while ago that there is a clone onion site for Ahmia. Now I realized that someone has actually generated similar onion domains to all popular onion sites and is re-writing some of the content,” he wrote.

His Tor-Talk post suggests that there are several copies of each targeted website, each with a similar address. Unlike on the traditional World Wide Web, unindexed Tor pages are typically located through directories rather than search engines, and they often have complicated URLs, which makes it easier for fake addresses to go unnoticed.

For example, he shows the similarity between the real and mirror DuckDuckGo addresses:

REAL DDG: http://3g2upl4pq6kufc4m.onion/
FAKE DDG: http://3g2up5afx6n5miu4.onion/
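
A client-side check for this kind of lookalike address, as an added example that is not part of the original article or Nurmi's post. It compares a URL against a pinned list of known-good .onion hosts and flags any address that shares a leading run of characters with a pinned one without matching it exactly; the function names, the `PINNED` list and the `min_prefix` threshold are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Known-good address as quoted in the article. In practice this list would be
# built from a source the user already trusts (assumption).
PINNED = {"DuckDuckGo": "3g2upl4pq6kufc4m.onion"}

# The addresses in the article are 16 base32 characters followed by ".onion".
ONION_RE = re.compile(r"^[a-z2-7]{16}\.onion$")


def onion_host(url):
    """Return the lowercase .onion host (subdomains stripped), or None."""
    target = url if "//" in url else "//" + url
    host = (urlsplit(target).hostname or "").lower()
    label = ".".join(host.split(".")[-2:])
    return label if ONION_RE.match(label) else None


def shared_prefix(a, b):
    """Count the leading characters two strings have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def classify(url, pinned=PINNED, min_prefix=4):
    """Return (verdict, service): pinned, lookalike, unknown or invalid."""
    host = onion_host(url)
    if host is None:
        return ("invalid", None)
    best_name, best_len = None, 0
    for name, good in pinned.items():
        if host == good:
            return ("pinned", name)  # exact match against the full address
        n = shared_prefix(host, good)
        if n > best_len:
            best_name, best_len = name, n
    # Same opening characters but a different address: treat as a likely clone.
    if best_len >= min_prefix:
        return ("lookalike", best_name)
    return ("unknown", None)
```

The two DuckDuckGo addresses above agree on their first five characters, so the fake one is reported as a lookalike rather than as an unrelated unknown site.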

Nurmi added that the fake sites are working as transparent proxies to the real pages, allowing hackers to launch attacks against their targets.

“The unknown attacker tries to direct users to these fake sites […] These sites are actually working as a transparent proxy to real sites. However, the attacker works as MITM and rewrites some content. It is possible that the attacker is gathering information, including user names and passwords,” he claimed.

The Dark Web is an anonymous platform used by activists, journalists and proponents of free speech. However, the lawless portal also provides a safety net for those engaging in criminal activities such as trafficking, terrorism and distributing child pornography.


